Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. A Windows Server 2003-based enterprise CA issues certificates that have incorrect alternate subject names and the certificates are not Network Access Protection (NAP)-compliant

A Windows Server 2003-based enterprise CA issues certificates that have incorrect alternate subject names and the certificates are not Network Access Protection (NAP)-compliant

View products that this article applies to.

Symptoms

Consider the following scenario:
  • A Windows Server 2003-based computer hosts an enterprise certification authority (CA).
  • The enterprise CA issues certificates by using a customized certificate template.
  • The certificate template is configured to include the user principal name (UPN) or the service principal name (SPN) in the alternate subject name.
In this scenario, all certificates that are issued by using the customized certificate template have incorrect alternate subject names. The alternate subject name is a Domain Name System (DNS) name instead of a UPN or an SPN.

This problem prevents the enterprise CA from issuing Network Access Protection (NAP)-compliant computer certificates.

↑ Back to the top

Resolution

To resolve this problem, apply hotfix 961515. For more information about hotfix 961515, click the following article number to view the article in the Microsoft Knowledge Base:
961515 The subject name of a computer certificate that is issued by a Windows Server 2003-based server is set to the user principal name (UPN) of the computer account after you apply hotfix 943089

Hotfix information

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix is replaced by hotfix 961515.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003 with Service Pack 1, x86-based versions
File nameFile versionFile sizeDateTimePlatform
Certpdef.dll5.2.3790.3017118,27229-Sep-200705:02x86
Windows Server 2003 with Service Pack 2, x86-based versions
File nameFile versionFile sizeDateTimePlatform
Certpdef.dll5.2.3790.4161118,27229-Sep-200705:11x86
Windows Server 2003 with Service Pack 1, Itanium-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certpdef.dll5.2.3790.3017300,03229-Sep-200702:53IA-64SP1Not applicable
Wcertpdef.dll5.2.3790.3017118,27229-Sep-200702:53x86SP1WOW
Windows Server 2003 with Service Pack 2, Itanium-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certpdef.dll5.2.3790.4161300,03229-Sep-200703:16IA-64SP2Not applicable
Wcertpdef.dll5.2.3790.4161118,27229-Sep-200703:16x86SP2WOW
Windows Server 2003, x64-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certpdef.dll5.2.3790.3017178,68829-Sep-200702:53x64SP1Not applicable
Wcertpdef.dll5.2.3790.3017118,27229-Sep-200702:53x86SP1WOW
Windows Server 2003 with Service Pack 2, x64-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Certpdef.dll5.2.3790.4161178,68829-Sep-200703:18x64SP2Not applicable
Wcertpdef.dll5.2.3790.4161118,27229-Sep-200703:18x86SP2WOW

This hotfix fixes an issue that occurs when the CT_FLAG_SUBJECT_ALT_REQUIRE_UPN flag is set in a computer template. When this flag is set, the policy module puts the DNS name of the computer in the Subject Alt Name (SAN) field. This is not the expected behavior. The following behavior occurs after you install the hotfix:
  • The first time, the certification authority (CA) policy module queries the explicit UPN attribute of the computer in Active Directory. If the entry in this attribute is found, this entry will be written in the certificate SAN field.
  • If no entry is found in the explicit UPN attribute of the computer, the implicit UPN is created by using the samAccountName Active Directory attribute together with the domain name.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More information

NAP is a new platform that performs the following jobs:
  • NAP performs computer health policy validation.
  • NAP guarantees ongoing compliance with health policies.
  • NAP optionally restricts the access of computers that do not comply with system health requirements until the health state of these computers can be corrected.
For more information about NAP, visit the following Microsoft TechNet Web site:
https://www.microsoft.com/technet/network/nap/napoverview.mspx
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbexpertiseinter, kbwinserv2003postsp2fix, kbbug, kbfix, kbHotfixServer, kbqfe, KB943089

↑ Back to the top

Article Info
Article ID : 943089
Revision : 4
Created on : 10/8/2011
Published on : 10/8/2011
Exists online : False
Views : 186